Attempting replacement of Machine SSL Certificate via vSphere Client returns error '[Certificate] Replace cert failed: Exception found (invalid input, not a valid PEM formatted RootChain certificate)'
Article ID: 404204
Updated On:
Products
Issue/Introduction
Certificate Replacement using vSphere Client may return either of the below errors
'[Certificate] Replace cert failed: Exception found (invalid input, not a valid PEM formatted RootChain certificate)'
ORError occurred while fetching tls: Invalid input
Environment
VMware vCenter Server 8.x
VMware vCenter Server 7.x
Cause
This issue is caused due to signing certificate chain being added is incorrectly formatted
Resolution
In order to resolve the issue, Refer to Add Custom Certificates Using the vSphere Client
Note: In case if multiple Intermediate Certificates are present, enter the certificate in the below format
-----BEGIN CERTIFICATE-----<Intermediate Certificate 2 issued by Intermediate Certificate 1>-----END CERTIFICATE----------BEGIN CERTIFCATE-----<Intermediate Certificate 1 issued by Root>-----END CERTIFICATE----------BEGIN CERTIFCATE-----<Root Certificate>-----END CERTIFICATE-----
Additional Information
The Following can help with Troubleshooting & Validation
1. Check Modulus of the Signed Certificate
openssl x509 -noout -modulus -in security.crt | openssl sha256Output:
SHA2-256(stdin)= f1f0bd5d17481fc5a72ca70b2503f4b26a917cf03d7b89b9ed66e976e31c43502. Check Modulus of the CSR
openssl req -noout -modulus -in <csr_filename>.csr | openssl sha256Output:
SHA2-256(stdin)= e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855openssl req -in <csr_filename>.csr -noout -pubkey > csr_pubkey.pem openssl x509 -noout -modulus -in csr_pubkey.pem | openssl sha256Feedback
